BlogLinux & scripting
SSH hardening: keys, ciphers, and CA-signed certificates
Disable passwords, pick modern ciphers, and issue SSH certificates so you stop managing authorized_keys by hand.
A default sshd accepts passwords, negotiates legacy ciphers, and trusts a pile of authorized_keys files nobody audits. Three changes fix most of it: keys only, modern crypto, and — once you outgrow key files — certificates signed by an SSH CA.
A hardened sshd_config
/etc/ssh/sshd_config.d/hardening.conf
PasswordAuthentication noPermitRootLogin noKbdInteractiveAuthentication noPubkeyAuthentication yesKexAlgorithms curve25519-sha256Ciphers [email protected],[email protected]MACs [email protected]AllowGroups ssh-users
Modern keys
ssh-keygen -t ed25519 -C "ana@laptop"shorter, faster, and safer than RSA-2048Certificates beat authorized_keys
At more than a handful of hosts, authorized_keys sprawl becomes unmanageable. Sign user keys with a CA and configure hosts to trust the CA once — deprovisioning is then a matter of not re-signing.
bash
# sign a user key, valid 8h, one principalssh-keygen -s ca_key -I ana -n ana -V +8h id_ed25519.pub# on hosts: TrustedUserCAKeys /etc/ssh/ca.pub
Short-lived by default
Certificate validity windows (-V +8h) give you expiring access for free — no key to forget to remove when someone leaves.